PEM is a container file format most often used to store cryptographic keys. It is used for many different things, because it simply defines the structure and encoding of a file that stores a piece of data.
What Is a PEM File?
PEM is just a standard: PEM files contain text, and the format dictates that each block starts with a line of the form…
-----BEGIN <label>-----
…and ends with:
-----END <label>-----
Everything in between is base64 encoded (uppercase and lowercase letters, digits, +, and /). This forms a block of data that can be used in other programs. A single PEM file can contain multiple blocks.
This can be used to represent all kinds of data, but it is commonly used to encode key files, such as RSA keys used for SSH, and certificates used for SSL encryption. The PEM file tells you what it is used for in the header; for example, you might see a PEM file start with…
-----BEGIN RSA PRIVATE KEY-----
…followed by a long string of data, which is the actual RSA private key.
PEM Files with SSL Certificates
PEM files are used to store SSL certificates and their associated private keys. A full SSL chain contains multiple certificates, and they work in this order:
- The end-user certificate, which is assigned to your domain name by a certificate authority (CA). This is the file you use in nginx and Apache to encrypt HTTPS.
- Up to four optional intermediate certificates, issued to smaller certificate authorities by larger authorities.
- The root certificate, the highest certificate in the chain, which is self-signed by the primary CA.
In practice, each certificate is listed in a PEM file, using separate blocks:
-----BEGIN CERTIFICATE-----
//end-user
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
//intermediate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
//root
-----END CERTIFICATE-----
You will be given these files by your SSL provider for use on your web server. For example, LetsEncrypt's certbot generates the following certificates, placed in /etc/letsencrypt/live/your-domain-name/:
cert.pem
chain.pem
fullchain.pem
privkey.pem
cert.pem is the end-user certificate.
chain.pem is the rest of the chain; in this case, it is only LetsEncrypt's root certificate.
fullchain.pem is cert.pem and chain.pem combined. This is the file passed to nginx with the ssl_certificate directive.
privkey.pem is an RSA private key generated alongside the certificate.
These may also use the .crt extension; if you have self-signed a certificate with OpenSSL, you will get a CRT file rather than a PEM file, though the contents are still the same and the usage is the same.
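The block structure described above (BEGIN/END labels, a base64 body, optional header lines such as those on an encrypted private key) and the cert.pem / chain.pem / fullchain.pem layout are easy to check programmatically. The following Python is an added example, not code from the original article: a small PEM parser that splits a file into blocks, verifies that each END label closes the matching BEGIN, strictly base64-decodes the body, and reports whether a private-key block is encrypted. All certificates and keys in it are constructed placeholders with arbitrary bytes, and the DEK-Info IV is a made-up value.

```python
"""Added example, not code from the original article: a minimal parser for the
PEM container described above.  It splits a file into blocks, checks that each
END label matches its BEGIN label, strictly base64-decodes the body, and reads
the optional encapsulated headers (Proc-Type / DEK-Info, RFC 1421 style) that
mark a legacy-format encrypted private key.  Every key and certificate below is
a constructed placeholder with arbitrary bytes, not real cryptographic material.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


@dataclass
class PemBlock:
    label: str                                   # text between "BEGIN " and the trailing dashes
    headers: dict = field(default_factory=dict)  # e.g. {"Proc-Type": "4,ENCRYPTED"}
    der: bytes = b""                             # decoded body (DER for keys and certificates)


def parse_pem(text: str) -> list[PemBlock]:
    """Return every block in `text`, in file order; raise ValueError on a malformed file."""
    blocks: list[PemBlock] = []
    current: Optional[PemBlock] = None
    body: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := BEGIN_RE.match(line):
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside open {current.label!r} block")
            current, body = PemBlock(label=m.group(1)), []
            continue
        if m := END_RE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            if m.group(1) != current.label:
                raise ValueError(f"line {lineno}: END {m.group(1)!r} does not close BEGIN {current.label!r}")
            # validate=True rejects characters outside the base64 alphabet instead of silently dropping them
            current.der = base64.b64decode("".join(body), validate=True)
            blocks.append(current)
            current = None
            continue
        if current is None:
            continue  # text outside any block is ignored, as OpenSSL does
        if ":" in line and not body:  # header lines precede the body, and base64 never contains ':'
            key, _, value = line.partition(":")
            current.headers[key.strip()] = value.strip()
        else:
            body.append(line)
    if current is not None:
        raise ValueError(f"unterminated {current.label!r} block")
    return blocks


def validate(text: str) -> Optional[str]:
    """None if the file parses cleanly, otherwise the parser's error message."""
    try:
        parse_pem(text)
        return None
    except ValueError as exc:
        return str(exc)


def is_encrypted_key(block: PemBlock) -> Optional[bool]:
    """True/False for private-key blocks, None for anything else (e.g. certificates)."""
    if not block.label.endswith("PRIVATE KEY"):
        return None
    legacy = block.headers.get("Proc-Type", "").endswith("ENCRYPTED")  # OpenSSL legacy PEM encryption
    return legacy or block.label == "ENCRYPTED PRIVATE KEY"              # PKCS#8 encrypted form


def key_status(text: str) -> list[tuple[str, Optional[bool]]]:
    """(label, encrypted?) for each block; useful for flagging unencrypted keys on disk."""
    return [(b.label, is_encrypted_key(b)) for b in parse_pem(text)]


def make_block(label: str, payload: bytes, headers: Optional[dict] = None) -> str:
    """Encode `payload` as one PEM block, wrapping the base64 at 64 columns."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += [f"{k}: {v}" for k, v in headers.items()] + [""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed sample files mirroring certbot's layout (cert.pem, chain.pem, fullchain.pem, privkey.pem).
CERT_PEM = make_block("CERTIFICATE", b"placeholder end-user certificate")
CHAIN_PEM = (make_block("CERTIFICATE", b"placeholder intermediate certificate")
             + make_block("CERTIFICATE", b"placeholder root certificate"))
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM  # fullchain.pem is cert.pem followed by chain.pem
PLAIN_KEY_PEM = make_block("RSA PRIVATE KEY", b"placeholder unencrypted key bytes")
ENCRYPTED_KEY_PEM = make_block(
    "RSA PRIVATE KEY", b"placeholder ciphertext bytes",
    {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00112233445566778899AABBCCDDEEFF"},  # constructed IV
)

if __name__ == "__main__":
    for name, pem in [("fullchain.pem", FULLCHAIN_PEM), ("privkey.pem", PLAIN_KEY_PEM)]:
        for block in parse_pem(pem):
            print(f"{name}: {block.label}, {len(block.der)} DER bytes, encrypted={is_encrypted_key(block)}")
```

Pointing key_status at a real privkey.pem or ~/.ssh/id_rsa shows at a glance whether the key is stored unencrypted; a label mismatch between BEGIN and END, or a stray character in the base64 body, is reported as an error rather than silently decoded, which is the behaviour you want before a file is handed to a web server.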
To use your certificates, you will have to pass them as parameters to your web server. For nginx, specify ssl_certificate (the full chain PEM file) and ssl_certificate_key (the RSA private key PEM file) after turning on SSL:
ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
For Apache, setup is largely the same, but you will need to use the SSLCertificateFile and SSLCertificateKeyFile directives:
SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem
PEM Files with SSH
PEM files are also used for SSH. If you have ever run ssh-keygen to use ssh without a password, your ~/.ssh/id_rsa is a PEM file, just without the extension.
Most notably, Amazon Web Services gives you a PEM file containing a private key whenever you create a new instance, and you must use this key to be able to SSH into new EC2 instances.
You will need to use the -i flag with ssh to specify that you want to use this new key instead of the default ~/.ssh/id_rsa:
ssh -i keyfile.pem root@host
This signs you in to the server as usual, but you will have to specify this flag every time.
An easier method is to add the private key to your ssh-agent.
However, this does not persist across reboots, so you will have to run this command on startup or add the key to your macOS keychain.
Of course, you could also always just append your primary public key to the instance's ~/.ssh/authorized_keys after you have signed in once, but this method should work out of the box for any new instances going forward.
It is worth noting that you should still lock down your SSH server even if you are using keys yourself.